Certified Information Privacy Professional – Europe (CIPP/E) — Question 73

Bioface is a company based in the United States. It has no servers, personnel or assets in the European Union. By collecting photographs from social media and other web-based services, such as newspapers and blogs, it uses machine learning to develop a facial recognition algorithm. The algorithm identifies individuals in photographs who are not in its data set based the algorithm and its existing data. The service collects photographs of data subjects in the European Union and will identify them if presented with their photographs. Bioface offers its service to government agencies and companies in the United States and Canada, but not to those in the European Union. Bioface does not offer the service to individuals.
Why is Bioface subject to the territorial scope of the General Data Protection Regulation?

Answer options

• A. It collects data from European Union websites, which constitutes an establishment in the European Union.
• B. It offers services in the European Union by identifying data subjects in the European Union.
• C. It collects data from subjects and uses it for automated processing.
• D. It monitors the behavior of data subjects in the European Union.

Correct answer: D

Explanation

Bioface is subject to the General Data Protection Regulation because it actively monitors the behavior of data subjects in the European Union, which triggers the regulation's territorial scope. Options A, B, and C do not accurately reflect the reason for jurisdiction, as they either misstate the nature of services offered or focus on data collection without addressing the monitoring aspect.